Spoofing URLs With Unicode

Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."

Our Task is Obvious

[donnacha]

So, what would be the cyrillic for Slashdot.org?

I gave m1cr0s0ft.com my credit card number!!!!

Should I be concerned?

Re:I gave m1cr0s0ft.com my credit card number!!!!

[Roosey]

No, not at all. In fact, it's probably more secure there than with Passport. :]

Re:The site

[Servo5678]

Hey, that URL is infringing on my copyrights! It's similar to my business's name, Bq--at77w373jih7xepx7om7p6zx7oq Enterprises, Inc.

Lousy cybersquatters...

Think of the fun you could have with this!

[chabotc]

Ok, first take microsoft.com (alternate spelling), name your mail gateways identitcal to microsoft's, and then send out emails (as balmer@microsoft.com?) to a lot of MS employees, telling them to remove IE from XP ..

From there on, it only gets better and better. Think of the countries you would be able to influance, technology developement you could steer, and leaked memo's you could fabricate..

Damn i wish i had thought of it ;-)

Re:The site

[Indras]

Yes, but you're forgetting, "Bq--at77w373jih7xepx7om7p6zx7oq" cannot be trademarked, because it is a common word, like "door" and "window."